Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
23-09-2024 15:42
General
-
Target
f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe
-
Size
384KB
-
MD5
f296876ebba9dbd1085b55b219b3e869
-
SHA1
d9ddcb36580ccee4687b5efcb8c7d6a3bdbc7703
-
SHA256
1506227b3ca0429e22ae401eed7eea7b7eedb4a50f80d496bfb0a93c50c13d5b
-
SHA512
9b0942e8f993faf6d18689bab8ae368b2da5eedee1bee0acdfd5f9444bc15027d447fc8ae72989ee52f58771865907ece85d32a6a312b5a9c7fe70b4db0d0e4d
-
SSDEEP
6144:HQMHIy84D4yxhkLAlsC+erjEU0R+f5DerHWQL1ZFGjg0AWO5rGMlukVt45yl07gc:HWF4D4YkE+ugTk6TQBABNKkVtEyl/
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+omtch.txt
teslacrypt
http://tt54rfdjhb34rfbnknaerg.milerteddy.com/E3116616D12D8F3
http://kkd47eh4hdjshb5t.angortra.at/E3116616D12D8F3
http://ytrest84y5i456hghadefdsd.pontogrot.com/E3116616D12D8F3
http://xlowfznrg4wf7dli.ONION/E3116616D12D8F3
Signatures
-
TeslaCrypt, AlphaCrypt
Ransomware based on CryptoLocker. Shut down by the developers in 2016.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (390) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes itself 1 IoCs
-
Drops startup file 3 IoCs
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f296876ebba9dbd1085b55b219b3e869_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\pslcspajovul.exeC:\Windows\pslcspajovul.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\pslcspajovul.exeC:\Windows\pslcspajovul.exe4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT5⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3068 CREDAT:275457 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /noin teractive5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Windows\PSLCSP~1.EXE5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\F29687~1.EXE3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD53a29c9c9e8f75fead9c1114926557044
SHA1aaa81b3b447cc8fcd33d7f41122091b2c9e7b560
SHA2560a47103b55f10a07598180fe4ef6ed86fb4be2ee36f361e0256d36faea6c5614
SHA5120818725bf5580de3428e88cb29dec4dec8ecd8a50fc7f6d56a16576d997e837fc3f17624ae57e69d1f4a9f9700821449c8e151553db53b39e03f91f965132575
-
Filesize
62KB
MD51b3fb302cddd8e989a03ff3dffe43957
SHA193e3a44ae168ba656cf09a2f15c20672eafd9e52
SHA2562e21647929ed9275b7a5214acf661d06424c13372c945fffbe04049cacc73067
SHA5121ad7924b4d808a785edb72c5c1cf5dda031288b76f9584a96c96feb9ed0671a038f87648dc2cb866e6f66426cb462d7f342916c9081b61f8b57e41ef28cef216
-
Filesize
1KB
MD5ab238b3a04871d7fa9f8230dda57a9bf
SHA1600949fab6002df48a80d643d8378f6a50fc3816
SHA25600cbe4df59174d5c2dd82afd979f8e370424b76c2780b27791c6f5c414e73186
SHA5123064a4cce5382609622526a2b8da1dfd1285d1bad420119e8162e641890ad230b7e6c3d0e482494e0a675de51a3525756e84653b7f604ff76b84f043b5e25f99
-
Filesize
11KB
MD5251c1a8747e145dcbff701c546433c8a
SHA143435c0244bab1492d58f06148955b64cc3165bb
SHA2569968455053e0f47887045ac10a022cabfae9e61881257d0cdb113c3c3156ea50
SHA512f9ea25382d47ee68c54c34416cabaee961235fc8d2b274267ae63ee566d3bd483559b1836d967d760c78a3698c2d41db4bab9439dc65070cd7ddcc3c6deda781
-
Filesize
109KB
MD5b26f244824c32582b97107411c5811db
SHA11f55ed46ba0efd080ebdbc3a5705efab9923ae45
SHA256e3cb0352ec284e21f46af6c92fcd8720881c47c0b00b4b9e19a94611469e8b47
SHA5126203a29713b93a0a2858c1322638412285b4438df9c35cb2acb0c188d9e91d7e753509b4915a7626e78810266a3a51573e352aff46a3e83dbade3f35ae8f8b73
-
Filesize
173KB
MD52c17baae94505296975a4cf4584cfc16
SHA17607664f2fa3cffd2fcdbb3d613595d912c7272f
SHA25602085642886e1f5b346adfa398015fafed7e9f48197d7f37462c8c18c298d48b
SHA512ba834df98bf8e4d4509f64a58a05901350b7cc1e21cc22b27a1645ca2611e55517fd3e6d2fe6a9feb7f1e486d422b5873c9f7de520b9db2202400ec5cebb613b
-
Filesize
342B
MD506222c9681c4d0486c94dd95286b2c8f
SHA1d24438d7ddabb0f325510abe794269958fbaea40
SHA256a36efeb080298449bc36b849380acba8704432ef5df4c6094ef45533e7901480
SHA512f11dd4609c7d2ddc495ea80924c0e7053b16488af6597c6868c8a589577a22ef879fe0cb83d628e4f378ce2892cbe575c2520d9546786e105e20fe61c63798eb
-
Filesize
342B
MD5a8eec817b5bf8369e7304bb4c4bd8204
SHA1c5d8582b64a01d02c1ef5b457806829569ee221f
SHA256b80f4272722ecccc18c237e33452efdc0817431e79c270e51cafcbed0a9d1613
SHA5128be10dfdea4f90af7ddcae4b45e2f4328d18312b70e440b98e3792e7b09f706519bdc1983e1255b468b4b600802f35c3cf8256ec2bab6730875d5f736690469c
-
Filesize
342B
MD5de9b2adb4daf6654d7ffecb3436d1039
SHA1ca7fbd5635d6cb97296b194bf786b653ec1d0299
SHA2566cea4b6fe80085da6dd1ca92686dfbb0ab108542f44bc37d8d679b391f8f11d5
SHA51296ba2671bdc56b7d0ba74af0ba39d812966672722372cfb3d3a742c0d762c9d64807cbd6887503448db86c9da722bacfeb6e969b6c061305181188aba63b74d9
-
Filesize
342B
MD5d74354c418c206a797be41ce4d4af436
SHA1d9b1245160a9b687f397838d0ec04a027f69bf49
SHA2567269ebdc08720031c28a8e88d4cd8bdda190f55ff924152cc2d72f87756d3e80
SHA512063a17cb525df3eff338247d58e66cc828983dd4128bde4a8bb219e87ab6eca643d295da61c3aaebbeeaad02563b0d2e57a506583743672f7cd31a092bc50a40
-
Filesize
342B
MD5786451e465952d917ceba237d3c5c3b2
SHA1e59d83af732f8221f6a3043bde3988c05103aa5d
SHA256d088b068bdd31dca110b47ce1bc74c3ed44bef9f0d49132619ad12ff7fe008bf
SHA5125e24ccb7482932add82f456174fd7fafa0f56bafbf11a0a2ba318526801a3446a9b450c895ef0151f49144873dba78e04016174ea9b94da1abf73f9320b46879
-
Filesize
342B
MD5c4cd1fda221ea1696fff64bec47a9d75
SHA13eeddf5969c0b9f6d7b9042a4760cea10b2adb8b
SHA25613e37e6c59192ee4c48dda957c18c07b11d64e318b387702693a1cf8353ac9f1
SHA512eb7d494f1633df956e0a1735425c5c0e84f44b08044354752c2838b1f40bcfc5659303b76d9f4c634351e77bbdc126f72c39b13dccde834328874d9779b355bd
-
Filesize
342B
MD5bf4d3a275a02d5f2918b0d6d34318f56
SHA15afbfe56146a8245d47eb685d16b36238b5fff58
SHA256b0b57f27cde0364d3b4ed886558857cd22266ef3b40fbcee08dab0d2078e0792
SHA51240a9f61731fdeea9888922f3f9e2c3c5b649ccf6c8f0cbc7fbbe8e61092ac2890f53950280a8e9d165d8520f00da662df50d4d9e1250823ce04e06ccf2f58027
-
Filesize
342B
MD5960ffd17863f5a70471704c64c99a070
SHA1d0a65d3f5c6709e8188c8ea34d50e8a0b0588409
SHA25613de9e61eee057287d30456f7138cd74175feced854fa1bab35ce80327156ade
SHA5121b53ee1a63cf32b5b235d7a38fcb9dda512b74b39635bd4434491015a3cf6f7810bcf8e7a5bb8c0e5af8437cc3cd6d0a8bddf1a02ab4e4b55004a552f14d3419
-
Filesize
342B
MD5033919d8cec29713e76dbee77114b491
SHA1fab9c6a38b2c7ce60de48bcf030ef56ddd670849
SHA256361f9b5c72bd56ab2e54e98c26b9cc50613da920a19e39f4423563f648830f12
SHA5126c2a7686497a17f2c6f4c9edca283fecae7687d7d47446a443864fafc0d6a5af9272991d6c45cab4d2074bbdadf2c2bbda728465a1c1435a868defb507b5cd3b
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
384KB
MD5f296876ebba9dbd1085b55b219b3e869
SHA1d9ddcb36580ccee4687b5efcb8c7d6a3bdbc7703
SHA2561506227b3ca0429e22ae401eed7eea7b7eedb4a50f80d496bfb0a93c50c13d5b
SHA5129b0942e8f993faf6d18689bab8ae368b2da5eedee1bee0acdfd5f9444bc15027d447fc8ae72989ee52f58771865907ece85d32a6a312b5a9c7fe70b4db0d0e4d
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
4KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
980KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
8KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
536KB
-
Filesize
8KB
